NANOG 64 recordings

2015-06-03 Thread Sadiq Saif
Hi all,

For those that missed them:
https://www.youtube.com/playlist?list=PLO8DR5ZGla8ju3ftZv_S6L12jBkZKEJVZ

-- 
Sadiq Saif (AS393949)
https://staticsafe.ca


Re: BGP in the Washington Post

2015-06-03 Thread Scott Weeks


--- larryshel...@cox.net wrote:
From: Larry Sheldon 
On 6/2/2015 00:27, Scott Weeks wrote:

> Great article for the WP and they asked good questions from
> the correct people, but I have to take issue with the lack
> of network operator's participation comments:
>
> : But getting network operators to participate is proving
> : difficult.
>
> : Many network operators also are cool to taking the further
> : step of adopting a secure new routing protocol called BGPSEC
> : to replace BGP.
>
> : “Unless [network] operators can see that the benefits will
> : generally outweigh the costs, they just won’t deploy it.”
>
> It's more that the managers who have no idea what is going on
> are forcing operators to focus their attention elsewhere, rather
> than the important things until everyone's behind the 8-ball.
> Then, all of the sudden, the mostly clueless managers are all
> about it.  But, by then it's too late.  Farting in a hurricane
> and hoping it makes a difference... ;-)

Pardon me, (and please forgive me if I am wrong), but I think that from 
the viewpoints of the Washington Post, its readers, and probably all of 
humanity save the view on this list, the MANAGEMENT of the several ISP 
firms and organizations IS "the operators".

Folks out on the operating floor don't really exist.
--


No, looking at it the way you phrase it, you're not wrong. To me, 
the operators are the folks with the technical know how and the 
admin password.  I guess I have been out on the raggedy edges 
(likely soon to change...) too long and I am not used to managers 
that have any understanding of network operations/engineering.  
But I do understand what you're saying. And I'm on the list. ;-)

scott


Re: BGP in the Washington Post

2015-06-03 Thread Larry Sheldon

On 6/2/2015 00:27, Scott Weeks wrote:

> Great article for the WP and they asked good questions from
> the correct people, but I have to take issue with the lack
> of network operator's participation comments:
>
> : But getting network operators to participate is proving
> : difficult.
>
> : Many network operators also are cool to taking the further
> : step of adopting a secure new routing protocol called BGPSEC
> : to replace BGP.
>
> : “Unless [network] operators can see that the benefits will
> : generally outweigh the costs, they just won’t deploy it.”
>
> It's more that the managers who have no idea what is going on
> are forcing operators to focus their attention elsewhere, rather
> than the important things until everyone's behind the 8-ball.
> Then, all of the sudden, the mostly clueless managers are all
> about it.  But, by then it's too late.  Farting in a hurricane
> and hoping it makes a difference... ;-)


Pardon me, (and please forgive me if I am wrong), but I think that from 
the viewpoints of the Washington Post, its readers, and probably all of 
humanity save the view on this list, the MANAGEMENT of the several ISP 
firms and organizations IS "the operators".


Folks out on the operating floor don't really exist.

--
sed quis custodiet ipsos custodes? (Juvenal)


Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation

2015-06-03 Thread Budiwijaya
Yep, definitely I'll give this a trial run.
We are developing nullroute application internally.
I'll try to run this in our lab.

On Wed, Jun 3, 2015 at 3:16 AM, Pavel Odintsov  wrote:
> Hello, Nanog!
>
> I'm very pleased to present my open source DoS/DDoS attack monitoring
> toolkit here!
>
> We have spent about 10 months for development of FastNetMon and could
> present huge feature list now! :)
>
> Stop! What is FastNetMon?
>
> It's really very fast toolkit which could find attacked host in your
> network and block it (or redirect to filtering appliance)
>
> This solution could save your network and your sleep :)
>
> Our site located here: https://github.com/FastVPSEestiOu/fastnetmon
>
> We support following engines for traffic capture:
> - Netflow (v5, v9 and IPFIX)
> - sFLOW v5
> - port mirror/SPAN (PF_RING and netmap supported)
>
> Also we have deep integration with ExaBGP (huge thanks to Thomas
> Mangin) for triggering blackhole on the Core Router or upstream.
>
> Since 1.0 version we have added support for following features:
> - Ability to detect most popular attack types: syn_flood, icmp_flood,
> udp_flood, ip_fragmentation_flood
> - Add support for Netmap for Linux (we have prepared special driver
> for ixgbe users: https://github.com/pavel-odintsov/ixgbe-linux-netmap)
> and FreeBSD.
> - Add support for PF_RING ZC (very fast but need license from ntop folks)
> - Add ability to collect netflow v9/IPFIX data from multiple devices
> with different templates set
> - Basic support for IPv6 (we could receive netflow data over IPv6)
> - Add plugin support for capture engines
> - Add support of L2TP decapsulation (important for DDoS attack
> detection inside tunnel)
> - Add ability to store attack details in Redis
> - Add Graphite/Grafana integration for traffic visualization
> - Add systemd unit file
> - Add ability to unblock host after some timeout
> - Introduce support of moving average for all counters
> - Add ExaBGP integration. We could announce attacked host with BGP to
> border router or uplink
> - Add so much details in attack report
> - Add ability to store attack fingerprint in file
>
> We have complete support for following platforms:
> - Fedora 21
> - Debian 6, 7, 8
> - CentOS 6, 7
> - FreeBSD 9, 10, 11
> - DragonflyBSD 4
> - MacOS X 10.10
>
> From network equipment side we have tested solution with:
> - Cisco ASR
> - Juniper MX
> - Extreme Summit
> - ipt_NETFLOW Linux
>
> We have binary packages for this operation systems:
> - CentOS 6: 
> https://github.com/FastVPSEestiOu/fastnetmon/tree/master/packages/CentOS6
> - CentOS 7: 
> https://github.com/FastVPSEestiOu/fastnetmon/tree/master/packages/CentOS7
> - Fedora 21: 
> https://github.com/FastVPSEestiOu/fastnetmon/tree/master/packages/Fedora21
> - FreeBSD: 
> https://github.com/FastVPSEestiOu/fastnetmon/tree/master/src/FreeBSD_port
>
> For any other operation systems we recommend automatic installer
> script: 
> https://github.com/FastVPSEestiOu/fastnetmon/blob/master/docs/INSTALL.md
>
> Please join to our mail list or ask about anything here
> https://groups.google.com/forum/#!forum/fastnetmon
>
> Thank you for your attention!
>
> --
> Sincerely yours, Pavel Odintsov


Re: AWS Elastic IP architecture

2015-06-03 Thread Rafael Possamai
we are starting to waste packets arguing over some private intellectual
property

On Wed, Jun 3, 2015 at 3:24 PM, Christopher Morrow 
wrote:

> On Wed, Jun 3, 2015 at 7:56 AM, Owen DeLong  wrote:
> > For example, let’s say you have 20 machines for whom you want to allow
> inbound SSH access. In the IPv4 world, with NAT, you have to configure an
> individual port mapping for each machine and you have to either configure
> all of the SSH clients, or, specify the particular port for the machine you
> want to get to on the command line.
>
> in the original case in question the fact that there's nat happening
> isn't material... so all of this discussion of NAT is a red herring,
> right? the user of AWS services cares not that 'nat is happening',
> because they can simply RESTful up a VM instance and ssh into it in
> ~30 seconds, no config required.
>
> let's skip all NAT discussions on this topic from here on out, yes?
>


Re: AWS Elastic IP architecture

2015-06-03 Thread Christopher Morrow
On Wed, Jun 3, 2015 at 7:56 AM, Owen DeLong  wrote:
> For example, let’s say you have 20 machines for whom you want to allow 
> inbound SSH access. In the IPv4 world, with NAT, you have to configure an 
> individual port mapping for each machine and you have to either configure all 
> of the SSH clients, or, specify the particular port for the machine you want 
> to get to on the command line.

in the original case in question the fact that there's nat happening
isn't material... so all of this discussion of NAT is a red herring,
right? the user of AWS services cares not that 'nat is happening',
because they can simply RESTful up a VM instance and ssh into it in
~30 seconds, no config required.

let's skip all NAT discussions on this topic from here on out, yes?


Re: Routing Insecurity (Re: BGP in the Washington Post)

2015-06-03 Thread Danny McPherson

On 2015-06-01 22:07, Mark Andrews wrote:

> If you have secure BGP deployed then you could extend the authentication
> to securely authenticate source addresses you emit and automate
> BCP38 filter generation and then you wouldn't have to worry about
> DNS, NTP, CHARGEN etc. reflecting spoofed traffic.

I don't believe this is entirely true, and BGPSEC certainly doesn't 
solve most of what I'm concerned about from a routing security 
perspective.  See, e.g.:


https://tools.ietf.org/html/draft-ietf-grow-simple-leak-attack-bgpsec-no-help-04

That said, an Internet number resource certification infrastructure, be 
it RPKI or something with a single root and scalable(!), is certainly 
necessary, and can be used to bootstrap policy databases (e.g., IRRs) 
that address both the inter-domain routing (e.g., origin "validation") 
and data plane anti-spoofing security problems, and perhaps not require 
operators (enterprises and nation states alike) to trade the autonomy 
and flexibility they have in routing today for what others see as their 
infrastructure security needs.


After all, stability, resiliency, and availability are ALSO factors in 
the risk management gumbo that need to be considered by organizations, 
and the tight coupling of RPKI and BGPSEC as designed, are quite 
possibly not as attractive to some operators as the designers might 
suggest, particularly in light of new external dependencies, competitive 
markets, Internet governance, geopolitical climate, etc.


Many that haven't deployed or have lost interest in having the 
conversation have done so deliberately, and would prefer a routing by 
rumor paradigm that affords autonomy and flexibility to one where new 
control points and exorbitant costs and complexity simply scare the heck 
out of them, the primitives of which surely extend to many of the 
luminaries quoted in those articles.


YMMV,

-danny



RE: AWS Elastic IP architecture

2015-06-03 Thread Steve Mikulasik
IoT says your toaster will be uploading your breakfast to 10 social media 
accounts and your socks will be connected to the hospital. Your fridge is also 
a spambot now too!

http://www.businessinsider.com/hackers-use-a-refridgerator-to-attack-businesses-2014-1

IoT means everything gets hacked. Maybe someone can make Cryptolocker to lock 
you out of your fridge until you pay a ransom. We are entering a whole new era 
of exciting vulnerabilities. 

Steve Mikulasik

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of 
valdis.kletni...@vt.edu
Sent: Wednesday, June 03, 2015 11:12 AM
To: Matthew Kaufman
Cc: nanog@nanog.org
Subject: Re: AWS Elastic IP architecture

On Tue, 02 Jun 2015 09:35:11 -0700, Matthew Kaufman said:
> Ah, the "IPv6 subnets are so big you can't find the hosts" myth.
>
> Let's see... to find which hosts are active in IPv6 I can:
> - run a popular web service that people connect to, revealing their 
> addresses

If your vulnerable laser printer or webcam is calling out to Hotmail or Google 
or whatever, you got *bigger* problems, dude



Re: AWS Elastic IP architecture

2015-06-03 Thread Valdis . Kletnieks
On Mon, 01 Jun 2015 21:25:52 -0700, Tony Hain said:

> Try https://snapchat.com and see if you ever get an IPv6 connection...

Obviously some gremlins got busy when they got called out on NANOG...

% wget https://www.snapchat.com
--2015-06-03 13:13:00--  https://www.snapchat.com/
Resolving www.snapchat.com (www.snapchat.com)... 2607:f8b0:400d:c06::79, 
74.125.22.121
Connecting to www.snapchat.com 
(www.snapchat.com)|2607:f8b0:400d:c06::79|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html'

index.html  [ <=>  ]   4.35K  --.-KB/s   in 0s

2015-06-03 13:13:03 (33.5 MB/s) - 'index.html' saved [4458]


When I hit it with Firefox, IPFox reports the connection is ipv6 as well (but
a bit harder to get a screenshot)...






Re: AWS Elastic IP architecture

2015-06-03 Thread Hugo Slabbert


On Wed 2015-Jun-03 13:11:34 -0400, valdis.kletni...@vt.edu wrote:

> On Tue, 02 Jun 2015 09:35:11 -0700, Matthew Kaufman said:
>> Ah, the "IPv6 subnets are so big you can't find the hosts" myth.
>>
>> Let's see... to find which hosts are active in IPv6 I can:
>> - run a popular web service that people connect to, revealing their addresses
>
> If your vulnerable laser printer or webcam is calling out to Hotmail or
> Google or whatever, you got *bigger* problems, dude


Not to support Mr. Kaufman's line of reasoning, but:

https://h30495.www3.hp.com/c/46775/US/en/?jumpid=in_R11549%2Feprintcenter
https://www.google.com/cloudprint/#printers

:(




Re: AWS Elastic IP architecture

2015-06-03 Thread Valdis . Kletnieks
On Tue, 02 Jun 2015 09:35:11 -0700, Matthew Kaufman said:
> Ah, the "IPv6 subnets are so big you can't find the hosts" myth.
>
> Let's see... to find which hosts are active in IPv6 I can:
> - run a popular web service that people connect to, revealing their addresses

If your vulnerable laser printer or webcam is calling out to Hotmail or
Google or whatever, you got *bigger* problems, dude




Re: BGP offloading (fixing legacy router BGP scalability issues)

2015-06-03 Thread Frederik Kriewitz
On Mon, May 11, 2015 at 8:38 PM, Chaim Rieger  wrote:
> Freddy, did you get your test up ?

Finally had some time to set up a lab environment and do some basic
testing regarding the fully transparent approach mentioned in the
initial email.
My biggest concern was that the cisco wouldn't like packets with its
own MAC source address. But luckily it's dumb enough to just forward
them.
Hacked together a small scapy program to implement "selective proxy
ARP/NDP spoofing".
It's working perfectly fine in my lab setup.

As it turns out a quick reality check on our peering ports shows that
most BGP implementations are correctly setting TTL to 1 for ebgp
sessions by default.
That of course breaks my initial plan to just route the BGP packets to
the server (cisco will drop them due to TTL expiration).
Using a vlan access-map it might be possible to redirect the packets
to another interface to fix that.
The worst case solution for that should be a RSPAN session with
corresponding filter.

Essentially all the bricks are there, they just need to be assembled.

Best Regards,
Freddy


Re: AWS Elastic IP architecture

2015-06-03 Thread Matthew Kaufman

On 6/3/2015 4:56 AM, Owen DeLong wrote:
>> On Jun 2, 2015, at 4:08 PM, Matthew Kaufman  wrote:
>>
>> On 6/2/15 2:35 AM, Owen DeLong wrote:
>>>> On Jun 2, 2015, at 5:49 AM, Matthew Kaufman  wrote:
>>>>
>>>> On 6/1/2015 6:32 PM, Mark Andrews wrote:
>>>>> In message <CAL9jLaaQUP1UzoKag3Kuq8a5bMcB2q6Yg=B_=1ffwxrn6k-...@mail.gmail.com>
>>>>> , Christopher Morrow writes:
>>>>>> On Mon, Jun 1, 2015 at 9:02 PM, Ca By  wrote:
>>>>>>> On Monday, June 1, 2015, Mark Andrews  wrote:
>>>>>>>> In message
>>>>>>>>
>>>>>>>> , Christopher Morrow writes:
>>>>>>>>> So... I don't really see any of the above arguments for v6 in a vm
>>>>>>>>> setup to really hold water in the short term at least.  I think for
>>>>>>>>> sure you'll want v6 for public services 'soon' (arguably like 10 yrs
>>>>>>>>> ago so you'd get practice and operational experience and ...) but for
>>>>>>>>> the rest sure it's 'nice', and 'cute', but really not required for
>>>>>>>>> operations (unless you have v6 only customers)
>>>>>>>> Everyone has effectively IPv6-only customers today.  IPv6 native +
>>>>>>>> CGN only works for services.  Similarly DS-Lite and 464XLAT.
>>>>>> ok, and for the example of 'put my service in the cloud' ... the
>>>>>> service is still accessible over ipv4 right?
>>>>> It depends on what you are trying to do.  Having something in the
>>>>> cloud manage something at home.  You can't reach the home over IPv4
>>>>> more and more these days as.  IPv6 is the escape path for that but
>>>>> you need both ends to be able to speak IPv6.
>>>> ...and for firewalls to not exist. Since they do, absolutely all
>>>> the techniques required to "reach something at home" over IPv4 are
>>>> required for IPv6. This is on the "great myths of the advantages of
>>>> IPv6" list.
>>> IPv4 with NAT, you can open one host at home to remote access, or,
>>> in some cases, you can select different hosts by using the port
>>> number in lieu of the host name/address.
>>
>> IPv4 with NAT, standard NAT/firewall traversal techniques are used so
>> that things inside your house are reachable as necessary. Almost
>> nobody configures their firewall to open up anything.
>
> HuH?
>
> How do I SSH into my host behind my home NAT firewall without
> configuration of the firewall?

Nobody but you and a few hundred other people on this mailing list SSH 
into hosts at your home.

Everyone else in the entire world reaches hosts at their house through 
their firewall just fine because those hosts are their Nest thermostat, 
or their Dropcam, or their PC running Skype, or maybe (in rare cases) 
something like LogMeIn.

None of those people ever touch the settings of the device they had 
delivered by their ISP and/or purchased at Best Buy. Not ever.

> You are making no sense here. NAT Traversal techniques provide for
> outbound connections and/or a way that a pseudo-service can create an
> inbound connection that looks like an outbound connection to the firewall.
>
> It does not in any way provide for generic inbound access to ordinary
> services without configuration.

So what?

Nobody (to several levels of statistical significance) needs "generic 
inbound access to ordinary services". Heck, the only "ordinary services" 
that exist any more are HTTP/HTTPS.

>>> IPv6 — I add a permit statement to the firewall to allow the traffic
>>> in to each host/group of hosts that I want and I am done.
>>
>> IPv6, standard NAT/firewall traversal techniques are used so that
>> things inside your house are reachable as necessary. Still almost
>> nobody configures their firewall to open up anything.
>
> Why would one use NAT with IPv6… You’re making no sense there.

I didn't say you would... but you need firewall traversal, and the 
"standard NAT and firewall traversal techniques" are how you traverse 
your IPv6 firewall.

>> For those who do, the work needed to open up a few host/port mappings
>> in IPv4 is basically identical to opening up a few hosts and ports
>> for IPv6.
>
> Not really…
>
> For example, let’s say you have 20 machines for whom you want to allow
> inbound SSH access. In the IPv4 world, with NAT, you have to configure
> an individual port mapping for each machine and you have to either
> configure all of the SSH clients, or, specify the particular port for
> the machine you want to get to on the command line.

Ok, you go find me 1000 households where nobody in the house is on the 
NANOG list but where there are 20 machines running SSH already installed.

> On the other hand, with IPv6, let’s say the machines are all on
> 2001:db8::/64. Further, let’s say that I group machines for which I
> want to provide SSH access within 2001:db8::22:0:0:0/80. I can add a
> single firewall entry which covers this /80 and I’m done. I can put
> many millions of hosts within that range and they all are accessible
> directly for SSH from the outside world.
>
> Takes about 20 seconds to configure my firewall once and then I never
> really need to worry about it again.

Yeah, so there you are manually configuring your firewall again. Which 
isn'

Re: nanog website down

2015-06-03 Thread Eric Oosting
At this time, we believe all services have been restored.

On Wed, Jun 3, 2015 at 11:16 AM, Eric Oosting 
wrote:

> This morning we suffered a hardware failure in our production environment.
> The outage affected nanog mail and web services. While mail services have
> recovered, web services are still down.
>
> We apologize for the inconvenience.
>
> -e
>


Re: nanog.org Website down ?

2015-06-03 Thread Charles van Niman
Yeah, looks like this just made it to the list:

>This morning we suffered a hardware failure in our production environment.
>The outage affected nanog mail and web services. While mail services have
>recovered, web services are still down.

On Wed, Jun 3, 2015 at 8:31 AM, Bob Evans  wrote:
> Not sure what's up - however I see what's down this AM. From the hotel
> nanog.org was not reachable. So, I tunneled out of the hotel to my
> office, still not reachable at 6:15 AM
>
> nanog.org (50.31.151.73)
> www.nanog.org (50.31.151.73)
>
> Bob Evans
> CTO
> Fiber Internet Center
>
>
>
>
>


nanog.org Website down ?

2015-06-03 Thread Bob Evans
Not sure what's up - however I see what's down this AM. From the hotel
nanog.org was not reachable. So, I tunneled out of the hotel to my
office, still not reachable at 6:15 AM

nanog.org (50.31.151.73)
www.nanog.org (50.31.151.73)

Bob Evans
CTO
Fiber Internet Center







nanog website down

2015-06-03 Thread Eric Oosting
This morning we suffered a hardware failure in our production environment.
The outage affected nanog mail and web services. While mail services have
recovered, web services are still down.

We apologize for the inconvenience.

-e


Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation

2015-06-03 Thread Pavel Odintsov
Hello!

Thank you! Please share your experience after tests!

On Wed, Jun 3, 2015 at 5:50 PM, Budiwijaya  wrote:
> Yep, definitely i'll give this a trial run.
> We are developing nullroute application internally.
> I'll try to run this in our lab.
>
> On Wed, Jun 3, 2015 at 3:16 AM, Pavel Odintsov  
> wrote:
>> Hello, Nanog!
>>
>> I'm very pleased to present my open source DoS/DDoS attack monitoring
>> toolkit here!
>>
>> We have spent about 10 months for development of FastNetMon and could
>> present huge feature list now! :)
>>
>> Stop! What is FastNetMon?
>>
>> It's really very fast toolkit which could find attacked host in your
>> network and block it (or redirect to filtering appliance)
>>
>> This solution could save your network and your sleep :)
>>
>> Our site located here: https://github.com/FastVPSEestiOu/fastnetmon
>>
>> We support following engines for traffic capture:
>> - Netflow (v5, v9 and IPFIX)
>> - sFLOW v5
>> - port mirror/SPAN (PF_RING and netmap supported)
>>
>> Also we have deep integration with ExaBGP (huge thanks to Thomas
>> Mangin) for triggering blackhole on the Core Router or upstream.
>>
>> Since 1.0 version we have added support for following features:
>> - Ability to detect most popular attack types: syn_flood, icmp_flood,
>> udp_flood, ip_fragmentation_flood
>> - Add support for Netmap for Linux (we have prepared special driver
>> for ixgbe users: https://github.com/pavel-odintsov/ixgbe-linux-netmap)
>> and FreeBSD.
>> - Add support for PF_RING ZC (very fast but need license from ntop folks)
>> - Add ability to collect netflow v9/IPFIX data from multiple devices
>> with different templates set
>> - Basic support for IPv6 (we could receive netflow data over IPv6)
>> - Add plugin support for capture engines
>> - Add support of L2TP decapsulation (important for DDoS attack
>> detection inside tunnel)
>> - Add ability to store attack details in Redis
>> - Add Graphite/Grafana integration for traffic visualization
>> - Add systemd unit file
>> - Add ability to unblock host after some timeout
>> - Introduce support of moving average for all counters
>> - Add ExaBGP integration. We could announce attacked host with BGP to
>> border router or uplink
>> - Add so much details in attack report
>> - Add ability to store attack fingerprint in file
>>
>> We have complete support for following platforms:
>> - Fedora 21
>> - Debian 6, 7, 8
>> - CentOS 6, 7
>> - FreeBSD 9, 10, 11
>> - DragonflyBSD 4
>> - MacOS X 10.10
>>
>> From network equipment side we have tested solution with:
>> - Cisco ASR
>> - Juniper MX
>> - Extreme Summit
>> - ipt_NETFLOW Linux
>>
>> We have binary packages for this operation systems:
>> - CentOS 6: 
>> https://github.com/FastVPSEestiOu/fastnetmon/tree/master/packages/CentOS6
>> - CentOS 7: 
>> https://github.com/FastVPSEestiOu/fastnetmon/tree/master/packages/CentOS7
>> - Fedora 21: 
>> https://github.com/FastVPSEestiOu/fastnetmon/tree/master/packages/Fedora21
>> - FreeBSD: 
>> https://github.com/FastVPSEestiOu/fastnetmon/tree/master/src/FreeBSD_port
>>
>> For any other operation systems we recommend automatic installer
>> script: 
>> https://github.com/FastVPSEestiOu/fastnetmon/blob/master/docs/INSTALL.md
>>
>> Please join to our mail list or ask about anything here
>> https://groups.google.com/forum/#!forum/fastnetmon
>>
>> Thank you for your attention!
>>
>> --
>> Sincerely yours, Pavel Odintsov



-- 
Sincerely yours, Pavel Odintsov


Re: AWS Elastic IP architecture

2015-06-03 Thread Owen DeLong

> On Jun 2, 2015, at 4:08 PM, Matthew Kaufman  wrote:
> 
> On 6/2/15 2:35 AM, Owen DeLong wrote:
>>> On Jun 2, 2015, at 5:49 AM, Matthew Kaufman  wrote:
>>> 
>>> On 6/1/2015 6:32 PM, Mark Andrews wrote:
>>>> In message
>>>> , Christopher Morrow writes:
>>>>> On Mon, Jun 1, 2015 at 9:02 PM, Ca By  wrote:
>>>>>> On Monday, June 1, 2015, Mark Andrews  wrote:
>>>>>>> In message
>>>>>>> 
>>>>>>> , Christopher Morrow writes:
>>>>>>>> So... I don't really see any of the above arguments for v6 in a vm
>>>>>>>> setup to really hold water in the short term at least.  I think for
>>>>>>>> sure you'll want v6 for public services 'soon' (arguably like 10 yrs
>>>>>>>> ago so you'd get practice and operational experience and ...) but for
>>>>>>>> the rest sure it's 'nice', and 'cute', but really not required for
>>>>>>>> operations (unless you have v6 only customers)
>>>>>>> Everyone has effectively IPv6-only customers today.  IPv6 native +
>>>>>>> CGN only works for services.  Similarly DS-Lite and 464XLAT.
>>>>> ok, and for the example of 'put my service in the cloud' ... the
>>>>> service is still accessible over ipv4 right?
>>>> It depends on what you are trying to do.  Having something in the
>>>> cloud manage something at home.  You can't reach the home over IPv4
>>>> more and more these days as.  IPv6 is the escape path for that but
>>>> you need both ends to be able to speak IPv6.
>>> ...and for firewalls to not exist. Since they do, absolutely all the 
>>> techniques required to "reach something at home" over IPv4 are required for 
>>> IPv6. This is on the "great myths of the advantages of IPv6" list.
>> IPv4 with NAT, you can open one host at home to remote access, or, in some 
>> cases, you can select different hosts by using the port number in lieu of 
>> the host name/address.
> 
> IPv4 with NAT, standard NAT/firewall traversal techniques are used so that 
> things inside your house are reachable as necessary. Almost nobody configures 
> their firewall to open up anything.

HuH?

How do I SSH into my host behind my home NAT firewall without configuration of 
the firewall?

You are making no sense here. NAT Traversal techniques provide for outbound 
connections and/or a way that a pseudo-service can create an inbound connection 
that looks like an outbound connection to the firewall.

It does not in any way provide for generic inbound access to ordinary services 
without configuration.

>> IPv6 — I add a permit statement to the firewall to allow the traffic in to 
>> each host/group of hosts that I want and I am done.
> 
> IPv6, standard NAT/firewall traversal techniques are used so that things 
> inside your house are reachable as necessary. Still almost nobody configures 
> their firewall to open up anything.

Why would one use NAT with IPv6… You’re making no sense there.

> For those who do, the work needed to open up a few host/port mappings in IPv4 
> is basically identical to opening up a few hosts and ports for IPv6.

Not really…

For example, let’s say you have 20 machines for whom you want to allow inbound 
SSH access. In the IPv4 world, with NAT, you have to configure an individual 
port mapping for each machine and you have to either configure all of the SSH 
clients, or, specify the particular port for the machine you want to get to on 
the command line.

On the other hand, with IPv6, let’s say the machines are all on 2001:db8::/64. 
Further, let’s say that I group machines for which I want to provide SSH access 
within 2001:db8::22:0:0:0/80. I can add a single firewall entry which covers 
this /80 and I’m done. I can put many millions of hosts within that range and 
they all are accessible directly for SSH from the outside world.

Takes about 20 seconds to configure my firewall once and then I never really 
need to worry about it again.

Further, in the IPv4 case, I need special client configuration or client 
invocation effort every time, while with the IPv6 case, I can simply put the 
hostname in DNS and then use the name thereafter.

>> I do not see the above as being equal effort or as yielding equal results.
> 
> For the automatic traversal cases, the end-user effort is identical.

Sure, but automatic traversal is the exception not the rule when considering 
internet services.

> For the incredibly rare case of manual configuration (which as NANOG 
> participants we often forget, since we're adjusting our routers all the time) 
> there is almost no difference for most use cases.

Not true as noted above.

> Yes, the results are marginally superior in the IPv6 case. Nobody cares.

I would argue that it’s more than marginal.

>> As such, I’d say that your statement gets added to the great myths of 
>> Matthew Kauffman rather than there being any myth about this being an IPv6 
>> advantage.
>> 
>> I can assure you that it is MUCH easier for me to remote-manage my mother’s 
>> machines over their IPv6 addresses than to get to them over IPv4.
> 
> Only because you've insisted on doing i
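
An added example for the contrast drawn in the exchange above (code written for this digest, not Owen's, Matthew's or any vendor's): using Python's standard ipaddress module, it takes the IPv6 hosts that should accept SSH, computes the single covering prefix a firewall entry would need, checks that this summary stays inside the planned 2001:db8::22:0:0:0/80 group (a summary that creeps beyond the group would also permit addresses that were never meant to be reachable), and for the IPv4/NAT case lists the one-port-per-host mappings a client has to know. The host addresses, the public port numbers and the rule notation are constructed for the example.

```python
"""Added example (not code from the NANOG thread): one covering prefix
versus per-host NAT port mappings for inbound SSH."""
import ipaddress

ON_LINK = ipaddress.ip_network("2001:db8::/64")            # the LAN from the thread
SSH_GROUP = ipaddress.ip_network("2001:db8::22:0:0:0/80")  # the SSH group from the thread


def covering_prefix(hosts, floor=ON_LINK):
    """Return the longest prefix (no shorter than `floor`) containing every host.

    Walks from /128 toward the floor; the first candidate that contains all
    addresses is the smallest single ACL entry that covers the whole group.
    """
    addrs = [ipaddress.ip_address(h) for h in hosts]
    if not addrs:
        raise ValueError("no hosts given")
    for plen in range(128, floor.prefixlen - 1, -1):
        candidate = ipaddress.ip_network(f"{addrs[0]}/{plen}", strict=False)
        if all(a in candidate for a in addrs):
            return candidate
    raise ValueError("hosts do not all share the on-link prefix")


def plan_ssh_access(hosts_v6, hosts_v4, base_port=2201, group=SSH_GROUP):
    """Compare the two approaches described in the thread.

    IPv6: one permit entry for the covering prefix, plus a flag telling the
    operator whether that entry stays inside the planned group. If it does
    not, the summary would open SSH to addresses outside the group.
    IPv4 behind NAT: one static port mapping per host, each with a distinct
    public port that every client has to be told about.
    Rule strings are a constructed, vendor-neutral notation.
    """
    net = covering_prefix(hosts_v6)
    v6_rules = [f"permit tcp any {net} eq 22"]
    v4_rules = [
        f"dnat tcp/{base_port + i} -> {ipaddress.ip_address(h)}:22"
        for i, h in enumerate(hosts_v4)
    ]
    return {
        "v6_rules": v6_rules,
        "v6_within_group": net.subnet_of(group),
        "v4_rules": v4_rules,
    }


if __name__ == "__main__":
    # Constructed sample inventory: two hosts at the extremes of the /80 group,
    # three IPv4 hosts behind a NAT.
    plan = plan_ssh_access(
        ["2001:db8::22:0:0:1", "2001:db8::22:ffff:ffff:ffff"],
        ["192.168.1.10", "192.168.1.11", "192.168.1.12"],
    )
    for rule in plan["v6_rules"] + plan["v4_rules"]:
        print(rule)
    print("IPv6 entry stays within planned group:", plan["v6_within_group"])
```

Python prints the group in its canonical form, 2001:db8:0:0:22::/80, which is the same network as 2001:db8::22:0:0:0/80 (the :: is placed on the longer run of zero hextets). Feeding a host from 2001:db8::23:0:0:0/80 alongside the ::22: hosts makes the covering prefix a /79, and the plan flags it, because that single entry would also permit every address under ::23:, which is the check worth running before the "20 seconds once" firewall entry goes in.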

Re: Routing Insecurity (Re: BGP in the Washington Post)

2015-06-03 Thread Roland Dobbins


On 3 Jun 2015, at 9:04, Ethan Katz-Bassett wrote:

The same folks also followed up that workshop paper with a longer 
paper on

the topic:
https://www.cs.bu.edu/~goldbe/papers/sigRPKI.pdf


Thanks to you and to Dale Carter - I was unaware of these papers.

Nonetheless, the risk remains of authorities interfering with the BGP as 
they've interfered with the DNS.


I'm very cognizant of the non-trivial effects of route-hijacking, having 
been involved in helping get a few of them resolved.  Nonetheless, my 
natural skepticism leads me to wonder whether we aren't better off with 
the problematic, error-prone system we have (not to mention the 
enumeration and enhanced DDoS impact of packeting routers doing crypto 
for their BGP sessions and which aren't protected via iACLs/GTSM).


---
Roland Dobbins 


Re: BGP in the Washington Post

2015-06-03 Thread Saku Ytti
On (2015-06-02 21:51 -0700), Randy Bush wrote:

> The RPKI is an X.509 based hierarchy [rfc 6481] which is congruent
> with the internet IP address allocation administration, the IANA,

Hijacking this thread. I've requested both our main vendors for 'loose rpki'
years ago, nothing has happened.
An SP trying to deploy RPKI may see a negative business impact: if the far end
fat-fingers and fails RPKI, then my connectivity to them is broken, while a
competitor who isn't running RPKI still works fine. Essentially suits may view
deploying RPKI as spending money to lose money.

A comfortable slow-start would be to have 'loose rpki' which essentially has 3
adj-ribs, verified-rpki, missing-rpki, failed-rpki. Then loc-rib is built from
each of these, so that no overlapping routes are installed from inferior ribs.
That is, if verified-rpki has 192.0.2.0/24, missing/failed-rpki cannot install
it or more-specific of it.

Net result is, we will always use verified-rpki route if existing, but if no
other options exist, we're happy to use any available route.

JunOS allows routing-policy to match on verified status, but this cannot
obviously override more-specifics.

-- 
  ++ytti
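
As an added illustration of the 'loose rpki' selection sketched above (example code written for this digest, not Saku's or any vendor's implementation): a toy model in Python that sorts received routes into verified/missing/failed adj-RIBs against a constructed ROA table, then fills a loc-RIB in preference order so that no route from an inferior RIB equals or is more specific than a prefix already installed from a better one. The ROA table, AS numbers and next hops are constructed sample data.

```python
"""Added example (not code from the NANOG thread): 'loose RPKI' route
selection with three adj-RIBs and an overlap check between them."""
import ipaddress

# Preference order of the three adj-RIBs: verified beats missing beats failed.
STATES = ("verified", "missing", "failed")

# Constructed ROA table: prefix -> (authorized origin AS, max prefix length).
ROAS = {
    "192.0.2.0/24": (64496, 24),
    "198.51.100.0/24": (64497, 25),
}


def validate(prefix, origin_as, roas=ROAS):
    """Origin validation in the spirit of RFC 6811.

    verified: a covering ROA matches the origin AS and the length is within maxlen
    failed:   ROAs cover the prefix but none matches (RFC 6811 'invalid')
    missing:  no ROA covers the prefix at all (RFC 6811 'not found')
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, (roa_as, maxlen) in roas.items():
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if origin_as == roa_as and net.prefixlen <= maxlen:
            return "verified"
    return "failed" if covered else "missing"


def build_loc_rib(routes, roas=ROAS):
    """routes: (prefix, origin_as, next_hop) tuples as received from peers.

    Returns (loc_rib, rejected). Each adj-RIB is drained in preference order;
    a route from an inferior RIB is rejected when an equal or covering prefix
    was already installed from a better RIB, so a failed or missing
    more-specific can never pull traffic away from a verified route. Routes
    in the same RIB never shadow each other, and a route with nothing better
    covering it is installed whatever its state.
    """
    adj_ribs = {state: [] for state in STATES}
    for prefix, origin_as, next_hop in routes:
        adj_ribs[validate(prefix, origin_as, roas)].append((prefix, origin_as, next_hop))

    loc_rib, rejected, installed = [], [], []
    for state in STATES:
        accepted_now = []
        for prefix, origin_as, next_hop in adj_ribs[state]:
            net = ipaddress.ip_network(prefix)
            shadowed = any(net.version == other.version and net.subnet_of(other)
                           for other in installed)
            entry = (prefix, origin_as, next_hop, state)
            if shadowed:
                rejected.append(entry)
            else:
                loc_rib.append(entry)
                accepted_now.append(net)
        installed.extend(accepted_now)  # only now do these shadow inferior RIBs
    return loc_rib, rejected


# Constructed sample announcements (documentation prefixes and private ASNs).
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64496, "10.0.0.1"),      # matches ROA -> verified
    ("192.0.2.0/24", 64666, "10.0.0.6"),      # wrong origin -> failed, shadowed
    ("192.0.2.128/25", 64496, "10.0.0.2"),    # beyond maxlen -> failed, shadowed
    ("198.51.100.0/24", 64497, "10.0.0.3"),   # verified
    ("198.51.100.0/25", 64497, "10.0.0.3"),   # within maxlen 25 -> verified, installs too
    ("203.0.113.0/24", 64498, "10.0.0.4"),    # no ROA -> missing, installed
    ("203.0.113.0/25", 64499, "10.0.0.5"),    # no ROA -> missing, same RIB, installed
    ("2001:db8::/32", 64500, "fe80::1"),      # no ROA -> missing, installed
]

if __name__ == "__main__":
    loc_rib, rejected = build_loc_rib(SAMPLE_ROUTES)
    for entry in loc_rib:
        print("install", *entry)
    for entry in rejected:
        print("reject ", *entry)
```

Run directly, it prints the install/reject decision for each sample route. The two failed announcements under 192.0.2.0/24 are dropped only because a verified route covers them, while the 203.0.113.0/24 and /25 announcements with no ROA at all are both installed, which is the "use any available route if nothing better exists" behaviour the post asks for. A real implementation would still run normal BGP best-path selection inside each RIB and redo the comparison whenever ROAs or adj-RIB contents change; this model does neither.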


Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation

2015-06-03 Thread Johan Kooijman
Interesting project, Pavel. I'll most certainly give this a trial run.

On Tue, Jun 2, 2015 at 10:16 PM, Pavel Odintsov 
wrote:

> Hello, Nanog!
>
> I'm very pleased to present my open source DoS/DDoS attack monitoring
> toolkit here!
>
> We have spent about 10 months for development of FastNetMon and could
> present huge feature list now! :)
>
> Stop! What is FastNetMon?
>
> It's really very fast toolkit which could find attacked host in your
> network and block it (or redirect to filtering appliance)
>
> This solution could save your network and your sleep :)
>
> Our site located here: https://github.com/FastVPSEestiOu/fastnetmon
>
> We support following engines for traffic capture:
> - Netflow (v5, v9 and IPFIX)
> - sFLOW v5
> - port mirror/SPAN (PF_RING and netmap supported)
>
> Also we have deep integration with ExaBGP (huge thanks to Thomas
> Mangin) for triggering blackhole on the Core Router or upstream.
>
> Since 1.0 version we have added support for following features:
> - Ability to detect most popular attack types: syn_flood, icmp_flood,
> udp_flood, ip_fragmentation_flood
> - Add support for Netmap for Linux (we have prepared special driver
> for ixgbe users: https://github.com/pavel-odintsov/ixgbe-linux-netmap)
> and FreeBSD.
> - Add support for PF_RING ZC (very fast but need license from ntop folks)
> - Add ability to collect netflow v9/IPFIX data from multiple devices
> with different templates set
> - Basic support for IPv6 (we could receive netflow data over IPv6)
> - Add plugin support for capture engines
> - Add support of L2TP decapsulation (important for DDoS attack
> detection inside tunnel)
> - Add ability to store attack details in Redis
> - Add Graphite/Grafana integration for traffic visualization
> - Add systemd unit file
> - Add ability to unblock host after some timeout
> - Introduce support of moving average for all counters
> - Add ExaBGP integration. We could announce attacked host with BGP to
> border router or uplink
> - Add so much details in attack report
> - Add ability to store attack fingerprint in file
>
> We have complete support for following platforms:
> - Fedora 21
> - Debian 6, 7, 8
> - CentOS 6, 7
> - FreeBSD 9, 10, 11
> - DragonflyBSD 4
> - MacOS X 10.10
>
> From network equipment side we have tested solution with:
> - Cisco ASR
> - Juniper MX
> - Extreme Summit
> - ipt_NETFLOW Linux
>
> We have binary packages for this operation systems:
> - CentOS 6:
> https://github.com/FastVPSEestiOu/fastnetmon/tree/master/packages/CentOS6
> - CentOS 7:
> https://github.com/FastVPSEestiOu/fastnetmon/tree/master/packages/CentOS7
> - Fedora 21:
> https://github.com/FastVPSEestiOu/fastnetmon/tree/master/packages/Fedora21
> - FreeBSD:
> https://github.com/FastVPSEestiOu/fastnetmon/tree/master/src/FreeBSD_port
>
> For any other operation systems we recommend automatic installer
> script:
> https://github.com/FastVPSEestiOu/fastnetmon/blob/master/docs/INSTALL.md
>
> Please join to our mail list or ask about anything here
> https://groups.google.com/forum/#!forum/fastnetmon
>
> Thank you for your attention!
>
> --
> Sincerely yours, Pavel Odintsov
>



-- 
Met vriendelijke groeten / With kind regards,
Johan Kooijman


Re: WiFi courses/vendors recommendation

2015-06-03 Thread Alan Buxey
+1 for CWNP courses.  The CWNA and CWDP cover RF quite well too; you'll pick 
up most of what's needed. IMHO, the only benefit of most of the vendor-specific 
courses is to tell you how to manage their control plane.  Which button to 
click on the interface etc ;)

alan